Re: [squid-users] Need help on SSL bump and certificate chain

From: <alex_at_imaginers.org>
Date: Mon, 22 Apr 2013 18:36:09 +0200 (CEST)

Dear All!
I also have a problem running ssl-bump with an intermediate CA using a signed
certificate from a CA.
My setup is as follows:
squid-3.3.3-20130418-r12525 with
- https_port 3130 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid33/ssl_cert/server.pem
key=/etc/squid33/ssl_cert/key.pem
- ssl_bump server-first all
- sslproxy_cert_error allow all
- sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
following the rules http://wiki.squid-cache.org/Features/MimicSslServerCert

This is working fine when using my self-generated CA for signing the requests;
however, I want to get rid of the browser warning, so I try to use a CA already
recognized in the browser, which should be possible following this ticket:
http://bugs.squid-cache.org/show_bug.cgi?id=3426 (already mentioned)

But no matter what I do I can't get rid of the browser warning. If I use a self-
signed root CA or certificate, squid detects that it is self-signed and does not
append any intermediate CA or other chain.
If I generate a CSR and send it to a CA, I get back a .crt and an
intermediate bundle, pack them up with the key in a single .pem file and restart
squid - then a chain is displayed in the browser, but now with one 'cert' too many
(imho) and marked as invalid. Firefox reports sec_error_unknown_issuer, Safari
says invalid chain length.

For example in the browser details it looks like this:
RootCA (which is marked fine by the browser) -> Intermediate CA (marked invalid)
-> Certificate signed and created by the csr (marked invalid) -> fake
certificate created by squid for the requested site (marked invalid)

If anyone has a running setup without importing the self-signed CA into all
browsers, please let me know.

Thanks for any feedback,
Alex
Received on Mon Apr 22 2013 - 16:36:17 MDT
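A check one can run locally before restarting squid, added here as an example and not part of the post above: the script builds a toy PKI with the openssl CLI and shows that a certificate issued for an ordinary server CSR (basicConstraints CA:FALSE, no keyCertSign) cannot act as an issuer, so anything signed with it fails path validation with an unknown-issuer error, while a CA:TRUE intermediate verifies. All names and file paths are constructed.

```shell
#!/bin/sh
# Added example (not from the post): build a toy PKI and check whether a
# certificate may act as an issuer. A CA hands back a *server* certificate for
# an ordinary CSR (basicConstraints CA:FALSE, no keyCertSign), and anything
# signed with it fails path validation; a CA:TRUE intermediate verifies.
# All names are constructed. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for CA certificates and for end-entity (server) certificates
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# issue CN OUT ISSUER EXTFILE: key + CSR for OUT, signed by ISSUER ("self" = self-signed)
issue() {
  cn=$1; out=$2; issuer=$3; ext=$4
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$out.key" -subj "/CN=$cn" -out "$WORK/$out.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$out.csr" -signkey "$WORK/$out.key" \
      -days 1 -extfile "$ext" -out "$WORK/$out.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$out.csr" -CA "$WORK/$issuer.crt" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 -extfile "$ext" \
      -out "$WORK/$out.crt" 2>/dev/null
  fi
}

# is_ca PREFIX: true if the certificate carries basicConstraints CA:TRUE
is_ca() { openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'CA:TRUE'; }

# verify_chain LEAF INTERMEDIATE...: path validation from the root, as a browser does it
verify_chain() {
  leaf=$1; shift
  : > "$WORK/untrusted.pem"
  for p in "$@"; do cat "$WORK/$p.crt" >> "$WORK/untrusted.pem"; done
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/untrusted.pem" \
    "$WORK/$leaf.crt" >/dev/null 2>&1
}

issue "Toy Root CA" root self "$WORK/ca.ext"
issue "Toy Intermediate CA" inter root "$WORK/ca.ext"
issue "proxy.example" server inter "$WORK/leaf.ext"   # what a CSR normally yields
issue "www.example" site_bad server "$WORK/leaf.ext"  # mimicked site cert, issued by the server cert
issue "www.example" site_good inter "$WORK/leaf.ext"  # same cert, issued by a real CA cert

if verify_chain site_good inter; then echo "CA:TRUE intermediate as issuer: chain OK"; fi
if ! verify_chain site_bad inter server; then
  echo "server cert as issuer (CA:TRUE? $(is_ca server && echo yes || echo no)): chain REJECTED"
fi
```

The exact rejection reason printed by openssl verify varies by version (unable to get local issuer certificate, or invalid CA certificate), but the leaf signed by a CA:FALSE certificate never validates, which matches the unknown-issuer error the browser reports.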
